Art Businesses Are Uniquely Susceptible to Cybercrime. Here Are a Few Simple Ways to Protect Yours, According to Top Experts

As an industry that still finalizes multimillion-dollar deals over email, the art trade has special vulnerabilities.

This is how we buy things now. (JOHANNES EISELE/AFP via Getty Images)

Forget art thieves. The art trade has a new foe: cybercriminals. 

Almost 60 percent of galleries surveyed in the 2020 Hiscox Online Art Trade Report were either “concerned” or “very concerned” about cybercrime—a big leap from the previous year.

This rising anxiety makes sense: the pandemic, the craze for NFTs, and a collector base newly rich in cryptocurrency have all served to shift transactions into the virtual sphere. 

New government regulations are also poised to pull the notoriously tech-phobic art trade into the 21st century. With the new anti-money laundering regulations for the U.K. art market coming into full effect on June 10, and additional measures on the horizon in the E.U. and the U.S., it will not be long before sensitive information essential to compliance is stored, regulated, and transferred entirely online.

As online activity essential to the prosperity of the art market mushrooms, so the risk of cybercrime increases to match it.

Art market professionals will need to become as savvy about cybersecurity as they are about spotting a great work of art. A simple oversight can have a huge impact. When the Rijksmuseum Twenthe was finalizing the purchase of a Constable painting from the dealer Simon C. Dickinson, the museum failed to confirm the gallery’s bank details by phone—and ended up sending £2.4 million directly to scammers who had intercepted the email exchange. (And this is far from the first case of email interception in art payment.)

Dickinson's lawyer, Bobby Friedman, says the Rijksmuseum should have independently confirmed the legitimacy of the account before wiring the money, adding that his client, a specialist in Old Master paintings, was never aware any fraud was taking place. Each side is accusing the other of having been hacked. “Instead of accepting the reality of the situation, the museum has reacted by pursuing a series of hopeless claims against [Dickinson], in the hope of pinning the blame for the museum’s mistake on [the dealer],” Friedman wrote in a submission to the court.

While the case isn’t settled, a London judge has ruled against the museum’s current claims for damages. But he has left the door open for the museum to modify its case and continue pursuing it. Meanwhile, the museum is holding onto the painting and preventing Dickinson, who remains unpaid, from selling the work to another buyer.

Arnoud Odding, the Rijksmuseum’s director, first became interested in Constable’s 1824 painting A View of Hampstead Heath: Child’s Hill, Harrow in the Distance upon seeing it at Dickinson's TEFAF booth in Maastricht in 2018. Neither Dickinson nor the Rijksmuseum responded to Artnet News's requests for comment.

John Constable, A View of Hampstead Heath: Child’s Hill, Harrow in the Distance (1824).

Similar hijacking has also taken place on NFT sales platforms like Nifty Gateway, where criminals hacked users’ passwords, purloined and resold digital art stored in their accounts, and compromised credit card information. 

As technology develops, so does the criminal mind.

Mitigating risk means thinking critically about the four variables involved in any art-market transaction—the seller, the buyer, the art, and the money—as touchpoints for cybersecurity. Fraud and money-laundering are the main considerations here, but the ripples that spread out from them lead to other security concerns: client data, data systems integrity, the transaction process, and fulfillment.

Here is the latest on how to keep your business protected. 


What are the three commandments of cybersecurity, according to experts?

  1. Don’t rush. The time you save cutting corners may come back to bite you later on.
  2. Keep good records—and store them somewhere safe.
  3. Stay alert. Your own attention is your best weapon against cybercrime.

What is the greatest area of risk?

“Email and phishing scams,” said David Preston, the U.K. general manager of Crown Fine Art, a global fine-art logistics firm. “You can generally spot them from the email account used or the language, which isn’t in keeping with the client you know, or the market.” 

At the very least, all businesses should have up-to-date cyber security software, such as ESET Cyber Security Pro.

But while software may keep your own accounts safe, you also need to remain alert as a reader. “We have exceptionally good IT security at Crown, but you’re only as strong as the weakest link, and that could actually be the client’s email being intercepted,” Preston explained. 

One simple way to confirm the sender is who they say they are: click on the name to confirm the real email address. If the “from” field says “Francois Pinault” but the email address is one letter off or from an unusual domain (say, [email protected]), you are probably dealing with a fraudster. 
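The same check can be automated against an address book. The sketch below is an added example, not part of the original article: the contact name, the addresses and the `check_sender` helper are constructed for illustration, and the edit-distance threshold of 2 is an assumption.

```python
from email.utils import parseaddr

# Constructed address book: display name -> address already on file.
KNOWN_CONTACTS = {"jane collector": "jane@collector.example"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Compare a From header with the address on file for that display name.

    Returns "match", "lookalike" (a letter or two off a known address),
    "mismatch" (known name, unrelated address), "unknown" or "invalid".
    """
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    addr = addr.lower()
    if addr.count("@") != 1:
        return "invalid"
    expected = contacts.get(name)
    if expected == addr or (expected is None and addr in contacts.values()):
        return "match"
    # A known name is held to its own address; an unknown name is compared
    # with every address on file to catch near-copies of a real contact.
    candidates = [expected] if expected else list(contacts.values())
    if any(edit_distance(addr, c) <= 2 for c in candidates):
        return "lookalike"
    return "mismatch" if expected else "unknown"


if __name__ == "__main__":
    for header in (
        "Jane Collector <jane@collector.example>",
        "Jane Collector <jane@co1lector.example>",           # one letter off
        "Jane Collector <jane.collector@freemail.example>",  # unusual domain
    ):
        print(check_sender(header), "<-", header)
```

A "match" only means the header agrees with the address book; a message sent from a genuinely compromised mailbox still passes, which is why payment details are confirmed by phone.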

Phishing and email scams can also lead to broader hacks, notes Chris King, the C.T.O. of anti-money-laundering compliance specialists ArtAML. While firewalls and virus scanners provided by Microsoft and Google can help flag suspicious activity, he noted, “they will not protect against attacks upon unwary staff clicking on links they really shouldn’t.”

When it comes to cybercrime, your best weapon is your own awareness. (Photo by Karl-Josef Hildenbrand/picture alliance via Getty Images)

What are the common traps that clients can fall into and how can they avoid them?

The riskiest part of an online transaction, according to experts, is collecting identity documents or other sensitive information via email. “There are many, many examples of email systems being compromised, leading to payments being sent to an account run by fraudsters,” King noted. As an alternative to email, consider using WeTransfer; password-encrypted files can and should be sent separately via WhatsApp, Teams, or another secure platform.  

But before you send sensitive information, remember to follow up the old-fashioned way. “Check in person by telephone before paying via any link,” Preston advised. “If something looks suspicious, just stop. There is no rush; in the art market, the client is king.”

Other tips for the trade: keep operating systems up to date and make sure sensitive information is backed up using password-encrypted files on an external hard drive. Be discreet about what sort of files you have and how employees and clients can access them.  

“The art market is relatively small, and word travels fast,” Preston said. “If you use a less than reputable shipper, you’ll risk people finding out. Loose lips sink ships!”

What would an ideal due diligence process look like?

Be careful to collect documents that prove a client’s identity, including photo ID and proof of address—even if you’ve corresponded by email before. But be aware: this is extremely sensitive personal data and must be held for five years after collection if you are in the U.K., according to King. (You might consider storing it in an art shippers’ secure online storage portal.) And don’t forget GDPR in the E.U., which still applies. 

“AML risk assessment requires active participation—it’s not passive,” King said. “An approach to cyber security should be the same.”

Establishing a culture of alertness and sound judgment is the first step in any overall policy of security and compliance. Regular training helps keep everyone up to date on the latest threats. Corinth Consulting Group, run by Sotheby’s former global compliance director Rena Neville, is one of several firms helping prepare businesses in the UK for the June 10 enforcement date.

“A healthy security culture exists when an organization’s security-related beliefs, behaviors, and values have been codified into social expectations,” added Perry Carpenter, security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform.

Establishing a cross-company culture of alertness and responsibility, from the boss to the new recruit, is the best protection you can have. 

So, to sum up: in order to stay ahead of cybercriminals in the art business, stay alert, take your time, and know who you are dealing with.
